FIREWALL-CMD(1)                  firewall-cmd                  FIREWALL-CMD(1)


NAME

       firewall-cmd - firewalld command line client


SYNOPSIS

       firewall-cmd [OPTIONS...]


DESCRIPTION

       firewall-cmd is the command line client of the firewalld daemon. It
       provides an interface to manage the runtime and permanent
       configurations.

       The runtime configuration in firewalld is separated from the permanent
       configuration. This means that a change can be made to either the
       runtime configuration or the permanent configuration independently.


OPTIONS

       Sequence options are options that can be specified multiple times. The
       exit code is 0 if at least one item succeeded. The ALREADY_ENABLED
       (11), NOT_ENABLED (12) and ZONE_ALREADY_SET (16) errors are treated as
       succeeded. If there are issues while parsing the items, these are
       treated as warnings and will not change the result as long as there is
       a succeeded item. Without any succeeded item, the exit code depends on
       the error codes: if there is exactly one error code, it is used; if
       there are more than one, UNKNOWN_ERROR (254) is used.
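The exit-code rule above, reproduced as an added shell function (not part of the man page) so that a script driving firewall-cmd can reason about it offline; the per-item codes are constructed input, and treating identical error codes from several items as one code is an assumption of this example:

```shell
# Added example, not from the firewall-cmd man page: aggregate per-item results
# of a sequence option (e.g. several --add-service items) into the exit code
# the text describes. Per-item codes are passed in as constructed input; in a
# real script they would come from firewalld's error reporting.
#
# Assumption: identical error codes from several items count as one code.
fw_sequence_exit_code() {
    succeeded=0
    distinct=""
    for code in "$@"; do
        case "$code" in
            # 0 plus ALREADY_ENABLED (11), NOT_ENABLED (12) and
            # ZONE_ALREADY_SET (16) all count as a succeeded item.
            0|11|12|16) succeeded=1 ;;
            *)
                case " $distinct " in
                    *" $code "*) ;;                      # already recorded
                    *) distinct="$distinct $code" ;;
                esac ;;
        esac
    done
    if [ "$succeeded" -eq 1 ]; then
        echo 0                      # at least one item succeeded
        return 0
    fi
    # shellcheck disable=SC2086 -- word splitting is intended here
    set -- $distinct
    if [ "$#" -eq 1 ]; then
        echo "$1"                   # exactly one error code: use it
    else
        echo 254                    # several different codes: UNKNOWN_ERROR
    fi
}

# Usage in a wrapper: record each item's outcome, then decide once.
# (101 and 102 are constructed error codes for the demonstration.)
# fw_sequence_exit_code 0 11 101   -> 0
# fw_sequence_exit_code 101 101    -> 101
# fw_sequence_exit_code 101 102    -> 254
```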

       The following options are supported:

   General Options
       -h, --help
           Prints a short help text and exits.

       -V, --version
           Print the version string of firewalld. This option is not
           combinable with other options.

       -q, --quiet
           Do not print status messages.

   Status Options
       --state
           Check whether the firewalld daemon is active (i.e. running).
           Returns an exit code 0 if it is active, RUNNING_BUT_FAILED if a
           failure occurred on startup, NOT_RUNNING otherwise. See the section
           called “EXIT CODES”. This will also print the state to STDOUT.

       --reload
           Reload firewall rules and keep state information. The current
           permanent configuration becomes the new runtime configuration, i.e.
           all runtime-only changes made before the reload are lost unless
           they were also made in the permanent configuration.

           Note: Runtime changes applied via the direct interface are not
           affected and will therefore stay in place until the firewalld
           daemon is restarted completely.

       --complete-reload
           Reload the firewall completely, even netfilter kernel modules. This
           will most likely terminate active connections, because state
           information is lost. This option should only be used in case of
           severe firewall problems, for example when state information
           problems prevent any connection from being established even though
           the firewall rules are correct.

           Note: Runtime changes applied via the direct interface are not
           affected and will therefore stay in place until the firewalld
           daemon is restarted completely.

       --runtime-to-permanent
           Save the active runtime configuration and overwrite the permanent
           configuration with it. The intended workflow is to make runtime
           changes only while configuring firewalld and, once you are happy
           with the configuration and have tested that it works the way you
           want, to save it to disk with this option.

       --check-config
           Run checks on the permanent configuration. This includes XML
           validity and semantics.

   Log Denied Options
       --get-log-denied
           Print the log denied setting.

       --set-log-denied=value
           Add logging rules right before reject and drop rules in the INPUT,
           FORWARD and OUTPUT chains for the default rules and also final
           reject and drop rules in zones for the configured link-layer packet
           type. The possible values are: all, unicast, broadcast, multicast
           and off. The default setting is off, which disables the logging.

           This is a runtime and permanent change and will also reload the
           firewall to be able to add the logging rules.

   Permanent Options
       --permanent
           The --permanent option can be used to set options permanently.
           These changes are not effective immediately, only after a service
           restart/reload or system reboot. Without the --permanent option, a
           change will only be part of the runtime configuration.

           If you want to make a change in both the runtime and the permanent
           configuration, use the same call with and without the --permanent
           option.

           The --permanent option can optionally be added to all options
           further down where it is supported.

   Zone Options
       --get-default-zone
           Print the default zone for connections and interfaces.

       --set-default-zone=zone
           Set the default zone for connections and interfaces where no zone
           has been selected. Setting the default zone changes the zone for
           the connections or interfaces that are using the default zone.

           This is a runtime and permanent change.

       --get-active-zones
           Print the currently active zones together with the interfaces and
           sources used in these zones. Active zones are zones that have a
           binding to an interface or source. The output format is:

               zone1
                 interfaces: interface1 interface2 ..
                 sources: source1 ..
               zone2
                 interfaces: interface3 ..
               zone3
                 sources: source2 ..

           If there are no interfaces or sources bound to the zone, the
           corresponding line will be omitted.
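A parser for the output format above, added here as an example (not code from the firewalld project): it answers which active zone an interface or source is bound to, and which interfaces appear in no active zone and therefore fall back to the default zone. The sample output is constructed; a real script would feed it `$(firewall-cmd --get-active-zones)`.

```shell
# Added example (not from the man page): parse --get-active-zones output.
# SAMPLE is constructed so the functions run without firewalld; in a real
# script replace it with "$(firewall-cmd --get-active-zones)".
SAMPLE='public
  interfaces: eth0 eth1
  sources: 192.0.2.0/24
internal
  interfaces: eth2
trusted
  sources: ipset:admins'

# zone_of_binding OUTPUT KIND NAME
#   KIND is "interfaces" or "sources". Prints the zone that NAME is bound to
#   and returns 0, or prints nothing and returns 1 if NAME is unbound.
zone_of_binding() {
    printf '%s\n' "$1" | awk -v kind="$2:" -v name="$3" '
        /^[^ ]/ { zone = $1; next }       # unindented line: a zone name
        $1 == kind {                       # "interfaces:" or "sources:" line
            for (i = 2; i <= NF; i++)
                if ($i == name) { print zone; found = 1; exit }
        }
        END { if (found) exit 0; exit 1 }'
}

# interfaces_in_default_zone OUTPUT IFACE...
#   Prints every interface from the list that appears in no active zone, i.e.
#   traffic on it is governed by the default zone. In practice the interface
#   list would come from e.g. "ls /sys/class/net".
interfaces_in_default_zone() {
    out=$1
    shift
    for ifc in "$@"; do
        zone_of_binding "$out" interfaces "$ifc" >/dev/null \
            || printf '%s\n' "$ifc"
    done
}

# zone_of_binding "$SAMPLE" interfaces eth1          -> public
# zone_of_binding "$SAMPLE" sources ipset:admins     -> trusted
# interfaces_in_default_zone "$SAMPLE" eth0 eth3 lo  -> eth3 and lo
```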

       [--permanent] --get-zones
           Print predefined zones as a space separated list.

       [--permanent] --get-services
           Print predefined services as a space separated list.

       [--permanent] --get-icmptypes
           Print predefined icmptypes as a space separated list.

       [--permanent] --get-zone-of-interface=interface
           Print the name of the zone the interface is bound to, or no zone if
           it is not bound to any.

       [--permanent] --get-zone-of-source=source[/mask]|MAC|ipset:ipset
           Print the name of the zone the source is bound to, or no zone if it
           is not bound to any.

       [--permanent] --info-zone=zone
           Print information about the zone zone. The output format is:

               zone
                 interfaces: interface1 ..
                 sources: source1 ..
                 services: service1 ..
                 ports: port1 ..
                 protocols: protocol1 ..
                 forward-ports:
                       forward-port1
                       ..
                 source-ports: source-port1 ..
                 icmp-blocks: icmp-type1 ..
                 rich rules:
                       rich-rule1
                       ..

       [--permanent] --list-all-zones
           List everything added for or enabled in all zones. The output
           format is:

               zone1
                 interfaces: interface1 ..
                 sources: source1 ..
                 services: service1 ..
                 ports: port1 ..
                 protocols: protocol1 ..
                 forward-ports:
                       forward-port1
                       ..
                 icmp-blocks: icmp-type1 ..
                 rich rules:
                       rich-rule1
                       ..
               ..

       --permanent --new-zone=zone
           Add a new permanent and empty zone.

           Zone names must be alphanumeric and may additionally include the
           characters '_' and '-'.

       --permanent --new-zone-from-file=filename [--name=zone]
           Add a new permanent zone from a prepared zone file with an optional
           name override.

       --permanent --delete-zone=zone
           Delete an existing permanent zone.

       --permanent --load-zone-defaults=zone
           Load zone default settings or report a NO_DEFAULTS error.

       --permanent --path-zone=zone
           Print the path of the zone configuration file.

   Policy Options
       [--permanent] --get-policies
           Print predefined policies as a space separated list.

       [--permanent] --info-policy=policy
           Print information about the policy policy.

       [--permanent] --list-all-policies
           List everything added for or enabled in all policies.

       --permanent --new-policy=policy
           Add a new permanent policy.

           Policy names must be alphanumeric and may additionally include the
           characters '_' and '-'.

       --permanent --new-policy-from-file=filename [--name=policy]
           Add a new permanent policy from a prepared policy file with an
           optional name override.

       --permanent --path-policy=policy
           Print the path of the policy configuration file.

       --permanent --delete-policy=policy
           Delete an existing permanent policy.

       --permanent --load-policy-defaults=policy
           Load the shipped defaults for a policy. Only applies to policies
           shipped with firewalld. Does not apply to user defined policies.

   Options to Adapt and Query Zones and Policies
       Options in this section affect only one particular zone or policy. If
       used with the --zone=zone or --policy=policy option, they affect the
       specified zone or policy. If both options are omitted, they affect the
       default zone (see --get-default-zone).

       [--permanent] [--zone=zone] [--policy=policy] --list-all
           List everything added or enabled.

       --permanent [--zone=zone] [--policy=policy] --get-target
           Get the target.

       --permanent [--zone=zone] [--policy=policy] --set-target=target
           Set the target.

           For zones target is one of: default, ACCEPT, DROP, REJECT

           For policies target is one of: CONTINUE, ACCEPT, DROP, REJECT

           default is similar to REJECT, but has special meaning in the
           following scenarios:

            1. ICMP explicitly allowed

               At the end of the zone's ruleset ICMP packets are explicitly
               allowed.

            2. forwarded packets follow the target of the egress zone

               In the case of forwarded packets, if the ingress zone uses
               default then whether or not the packet will be allowed is
               determined by the egress zone.

               For a forwarded packet that ingresses zoneA and egresses zoneB:

               •   if zoneA's target is ACCEPT, DROP, or REJECT then the
                   packet is accepted, dropped, or rejected respectively.

               •   if zoneA's target is default, then the packet is accepted,
                   dropped, or rejected based on zoneB's target. If zoneB's
                   target is also default, then the packet will be rejected by
                   firewalld's catchall reject.

            3. Zone drifting from source-based zone to interface-based zone

               This only applies if AllowZoneDrifting is enabled. See
               firewalld.conf(5).

               If a packet ingresses a source-based zone with a target of
               default, it may still enter an interface-based zone (including
               the default zone).

       --permanent [--zone=zone] [--policy=policy]
       --set-description=description
           Set the description.

       --permanent [--zone=zone] [--policy=policy] --get-description
           Print the description.

       --permanent [--zone=zone] [--policy=policy] --set-short=description
           Set the short description.

       --permanent [--zone=zone] [--policy=policy] --get-short
           Print the short description.

       [--permanent] [--zone=zone] [--policy=policy] --list-services
           List services added as a space separated list.

       [--permanent] [--zone=zone] [--policy=policy]
       --add-service=service [--timeout=timeval]
           Add a service. This option can be specified multiple times. If a
           timeout is supplied, the rule will be active for the specified
           amount of time and will be removed automatically afterwards.
           timeval is either a number (of seconds) or a number followed by one
           of the characters s (seconds), m (minutes), h (hours), for example
           20m or 1h.

           The service is one of the firewalld provided services. To get a
           list of the supported services, use firewall-cmd --get-services.

           The --timeout option is not combinable with the --permanent option.
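An added example (not from the man page) that validates a --timeout value against the timeval grammar just described and refuses the --timeout/--permanent combination before any command reaches firewall-cmd; the argument lists are constructed and no firewalld call is made.

```shell
# Added example (not from the man page): check the --timeout rules described
# above before invoking firewall-cmd. No firewalld call is made; the argument
# lists in the comments are constructed.

# timeval_to_seconds TIMEVAL
#   Prints the lifetime in seconds for a valid timeval (a number, optionally
#   followed by s, m or h); returns 1 for anything else.
timeval_to_seconds() {
    case "$1" in
        ''|*[!0-9smh]*) return 1 ;;     # empty, or a character outside the grammar
    esac
    num=${1%[smh]}                      # strip one trailing unit letter, if present
    unit=${1#"$num"}                    # what was stripped: s, m, h or nothing
    case "$num" in
        ''|*[!0-9]*) return 1 ;;        # unit without a number, or unit not at the end
    esac
    case "$unit" in
        ''|s) echo "$num" ;;
        m)    echo $((num * 60)) ;;
        h)    echo $((num * 3600)) ;;
    esac
}

# timeout_allowed ARG...
#   Returns 0 if the firewall-cmd arguments either carry no --timeout or carry
#   a well-formed one without --permanent; returns 1 otherwise, because
#   --timeout is not combinable with --permanent.
timeout_allowed() {
    perm=0
    tv=""
    for arg in "$@"; do
        case "$arg" in
            --permanent)  perm=1 ;;
            --timeout=*)  tv=${arg#--timeout=} ;;
        esac
    done
    [ -n "$tv" ] || return 0            # no timeout: nothing to check
    [ "$perm" -eq 0 ] || return 1       # a permanent rule cannot expire
    timeval_to_seconds "$tv" >/dev/null
}

# timeval_to_seconds 20m                                          -> 1200
# timeout_allowed --zone=public --add-service=http --timeout=1h   -> 0
# timeout_allowed --permanent --add-service=http --timeout=1h     -> 1
```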

       [--permanent] [--zone=zone] [--policy=policy]
       --remove-service=service
           Remove a service. This option can be specified multiple times.

       [--permanent] [--zone=zone] [--policy=policy]
       --query-service=service
           Return whether the service has been added. Returns 0 if true, 1
           otherwise.

       [--permanent] [--zone=zone] [--policy=policy] --list-ports
           List ports added as a space separated list. A port is of the form
           portid[-portid]/protocol, i.e. either a port and protocol pair or a
           port range with a protocol.

       [--permanent] [--zone=zone] [--policy=policy]
       --add-port=portid[-portid]/protocol [--timeout=timeval]
           Add the port. This option can be specified multiple times. If a
           timeout is supplied, the rule will be active for the specified
           amount of time and will be removed automatically afterwards.
           timeval is either a number (of seconds) or a number followed by one
           of the characters s (seconds), m (minutes), h (hours), for example
           20m or 1h.

           The port can either be a single port number or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] [--policy=policy]
       --remove-port=portid[-portid]/protocol
           Remove the port. This option can be specified multiple times.

       [--permanent] [--zone=zone] [--policy=policy]
       --query-port=portid[-portid]/protocol
           Return whether the port has been added. Returns 0 if true, 1
           otherwise.

       [--permanent] [--zone=zone] [--policy=policy] --list-protocols
           List protocols added as a space separated list.

       [--permanent] [--zone=zone] [--policy=policy]
       --add-protocol=protocol [--timeout=timeval]
           Add the protocol. This option can be specified multiple times. If a
           timeout is supplied, the rule will be active for the specified
           amount of time and will be removed automatically afterwards.
           timeval is either a number (of seconds) or a number followed by one
           of the characters s (seconds), m (minutes), h (hours), for example
           20m or 1h.

           The protocol can be any protocol supported by the system. Please
           have a look at /etc/protocols for supported protocols.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] [--policy=policy]
       --remove-protocol=protocol
           Remove the protocol. This option can be specified multiple times.

       [--permanent] [--zone=zone] [--policy=policy]
       --query-protocol=protocol
           Return whether the protocol has been added. Returns 0 if true, 1
           otherwise.

       [--permanent] [--zone=zone] [--policy=policy] --list-source-ports
           List source ports added as a space separated list. A port is of the
           form portid[-portid]/protocol.

       [--permanent] [--zone=zone] [--policy=policy]
       --add-source-port=portid[-portid]/protocol [--timeout=timeval]
           Add the source port. This option can be specified multiple times.
           If a timeout is supplied, the rule will be active for the specified
           amount of time and will be removed automatically afterwards.
           timeval is either a number (of seconds) or a number followed by one
           of the characters s (seconds), m (minutes), h (hours), for example
           20m or 1h.

           The port can either be a single port number or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] [--policy=policy]
       --remove-source-port=portid[-portid]/protocol
           Remove the source port. This option can be specified multiple
           times.

       [--permanent] [--zone=zone] [--policy=policy]
       --query-source-port=portid[-portid]/protocol
           Return whether the source port has been added. Returns 0 if true, 1
           otherwise.

       [--permanent] [--zone=zone] [--policy=policy] --list-icmp-blocks
           List Internet Control Message Protocol (ICMP) type blocks added as
           a space separated list.

       [--permanent] [--zone=zone] [--policy=policy]
       --add-icmp-block=icmptype [--timeout=timeval]
           Add an ICMP block for icmptype. This option can be specified
           multiple times. If a timeout is supplied, the rule will be active
           for the specified amount of time and will be removed automatically
           afterwards.  timeval is either a number (of seconds) or a number
           followed by one of the characters s (seconds), m (minutes), h
           (hours), for example 20m or 1h.

           The icmptype is one of the ICMP types firewalld supports. To get a
           list of the supported ICMP types, use firewall-cmd --get-icmptypes.

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] [--policy=policy]
       --remove-icmp-block=icmptype
           Remove the ICMP block for icmptype. This option can be specified
           multiple times.

       [--permanent] [--zone=zone] [--policy=policy]
       --query-icmp-block=icmptype
           Return whether an ICMP block for icmptype has been added. Returns 0
           if true, 1 otherwise.

       [--permanent] [--zone=zone] [--policy=policy] --list-forward-ports
           List IPv4 forward ports added as a space separated list.

           For IPv6 forward ports, please use the rich language.

       [--permanent] [--zone=zone] [--policy=policy]
       --add-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
       [--timeout=timeval]
           Add the IPv4 forward port. This option can be specified multiple
           times. If a timeout is supplied, the rule will be active for the
           specified amount of time and will be removed automatically
           afterwards.  timeval is either a number (of seconds) or a number
           followed by one of the characters s (seconds), m (minutes), h
           (hours), for example 20m or 1h.

           The port can either be a single port number portid or a port range
           portid-portid. The protocol can either be tcp, udp, sctp or dccp.
           The destination address is a simple IP address.

           The --timeout option is not combinable with the --permanent option.

           For IPv6 forward ports, please use the rich language.

           Note: IP forwarding will be implicitly enabled if toaddr is
           specified.

       [--permanent] [--zone=zone] [--policy=policy]
       --remove-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
           Remove the IPv4 forward port. This option can be specified multiple
           times.

           For IPv6 forward ports, please use the rich language.

       [--permanent] [--zone=zone] [--policy=policy]
       --query-forward-port=port=portid[-portid]:proto=protocol[:toport=portid[-portid]][:toaddr=address[/mask]]
           Return whether the IPv4 forward port has been added. Returns 0 if
           true, 1 otherwise.

           For IPv6 forward ports, please use the rich language.

       [--permanent] [--zone=zone] [--policy=policy]
       --add-masquerade [--timeout=timeval]
           Enable IPv4 masquerade. If a timeout is supplied, masquerading will
           be active for the specified amount of time.  timeval is either a
           number (of seconds) or a number followed by one of the characters s
           (seconds), m (minutes), h (hours), for example 20m or 1h.
           Masquerading is useful if the machine is a router and machines
           connected over an interface in another zone should be able to use
           the first connection.

           The --timeout option is not combinable with the --permanent option.

           For IPv6 masquerading, please use the rich language.

           Note: IP forwarding will be implicitly enabled.

       [--permanent] [--zone=zone] [--policy=policy] --remove-masquerade
           Disable IPv4 masquerade. If masquerading was enabled with a
           timeout, it will be disabled as well.

           For IPv6 masquerading, please use the rich language.

       [--permanent] [--zone=zone] [--policy=policy] --query-masquerade
           Return whether IPv4 masquerading has been enabled. Returns 0 if
           true, 1 otherwise.

           For IPv6 masquerading, please use the rich language.

       [--permanent] [--zone=zone] [--policy=policy] --list-rich-rules
           List rich language rules added as a newline separated list.

       [--permanent] [--zone=zone] [--policy=policy]
       --add-rich-rule='rule' [--timeout=timeval]
           Add the rich language rule 'rule'. This option can be specified
           multiple times. If a timeout is supplied, the rule will be active
           for the specified amount of time and will be removed automatically
           afterwards.  timeval is either a number (of seconds) or a number
           followed by one of the characters s (seconds), m (minutes), h
           (hours), for example 20m or 1h.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

           The --timeout option is not combinable with the --permanent option.

       [--permanent] [--zone=zone] [--policy=policy]
       --remove-rich-rule='rule'
           Remove the rich language rule 'rule'. This option can be specified
           multiple times.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

       [--permanent] [--zone=zone] [--policy=policy]
       --query-rich-rule='rule'
           Return whether the rich language rule 'rule' has been added.
           Returns 0 if true, 1 otherwise.

           For the rich language rule syntax, please have a look at
           firewalld.richlanguage(5).

   Options to Adapt and Query Zones
       Options in this section affect only one particular zone. If used with
       the --zone=zone option, they affect the specified zone. If the option
       is omitted, they affect the default zone (see --get-default-zone).

       [--permanent] [--zone=zone] --add-icmp-block-inversion
           Enable ICMP block inversion.

       [--permanent] [--zone=zone] --remove-icmp-block-inversion
           Disable ICMP block inversion.

       [--permanent] [--zone=zone] --query-icmp-block-inversion
           Return whether ICMP block inversion is enabled. Returns 0 if true,
           1 otherwise.

       [--permanent] [--zone=zone] --add-forward
           Enable intra-zone forwarding.

       [--permanent] [--zone=zone] --remove-forward
           Disable intra-zone forwarding.

       [--permanent] [--zone=zone] --query-forward
           Return whether intra-zone forwarding is enabled. Returns 0 if true,
           1 otherwise.

   Options to Adapt and Query Policies
       Options in this section affect only one particular policy. It is
       required to specify --policy=policy with these options.

       --permanent --policy=policy --get-priority
           Get the priority.

       --permanent --policy=policy --set-priority=priority
           Set the priority. The priority determines the relative ordering of
           policies. This is an integer value between -32768 and 32767 where
           -1 is the default value for new policies and 0 is reserved for
           internal use.

           If the priority is < 0, then the policy's rules will execute before
           all rules in all zones.

           If the priority is > 0, then the policy's rules will execute after
           all rules in all zones.

       [--permanent] --policy=policy --list-ingress-zones
           List ingress zones added as a space separated list.

       [--permanent] --policy=policy --add-ingress-zone=zone
           Add an ingress zone. This option can be specified multiple times.

           The ingress zone is one of the firewalld provided zones or one of
           the pseudo-zones: HOST, ANY.

           HOST is used for traffic originating from the host machine, i.e.
           the host running firewalld.

           ANY is used for traffic originating from any zone. This can be
           thought of as a wildcard for zones. However, it does not include
           traffic originating from the host machine; use HOST for that.

       [--permanent] --policy=policy --remove-ingress-zone=zone
           Remove an ingress zone. This option can be specified multiple
           times.

       [--permanent] --policy=policy --query-ingress-zone=zone
           Return whether zone has been added. Returns 0 if true, 1 otherwise.

       [--permanent] --policy=policy --list-egress-zones
           List egress zones added as a space separated list.

       [--permanent] --policy=policy --add-egress-zone=zone
           Add an egress zone. This option can be specified multiple times.

           The egress zone is one of the firewalld provided zones or one of
           the pseudo-zones: HOST, ANY.

           For clarification on HOST and ANY see option --add-ingress-zone.

       [--permanent] --policy=policy --remove-egress-zone=zone
           Remove an egress zone. This option can be specified multiple times.

       [--permanent] --policy=policy --query-egress-zone=zone
           Return whether zone has been added. Returns 0 if true, 1 otherwise.

642   Options to Handle Bindings of Interfaces
643       Binding an interface to a zone means that this zone settings are used
644       to restrict traffic via the interface.
645
646       Options in this section affect only one particular zone. If used with
647       --zone=zone option, they affect the zone zone. If the option is
648       omitted, they affect default zone (see --get-default-zone).
649
650       For a list of predefined zones use firewall-cmd --get-zones.
651
652       An interface name is a string up to 16 characters long, that may not
653       contain ' ', '/', '!' and '*'.
654
655       [--permanent] [--zone=zone] --list-interfaces
656           List interfaces that are bound to zone zone as a space separated
657           list. If zone is omitted, default zone will be used.
658
659       [--permanent] [--zone=zone] --add-interface=interface
660           Bind interface interface to zone zone. If zone is omitted, default
661           zone will be used.
662
663           If the interface is under control of NetworkManager, it is at first
664           connected to change the zone for the connection that is using the
665           interface. If this fails, the zone binding is created in firewalld
666           and the limitations below apply. For interfaces that are not under
667           control of NetworkManager, firewalld tries to change the ZONE
668           setting in the ifcfg file, if the file exists.
669
670           As a end user you don't need this in most cases, because
671           NetworkManager (or legacy network service) adds interfaces into
672           zones automatically (according to ZONE= option from ifcfg-interface
673           file) if NM_CONTROLLED=no is not set. You should do it only if
674           there's no /etc/sysconfig/network-scripts/ifcfg-interface file. If
675           there is such file and you add interface to zone with this
676           --add-interface option, make sure the zone is the same in both
677           cases, otherwise the behaviour would be undefined. Please also have
678           a look at the firewalld(1) man page in the Concepts section. For
679           permanent association of interface with a zone, see also 'How to
680           set or change a zone for a connection?' in firewalld.zones(5).
681
682       [--permanent] [--zone=zone] --change-interface=interface
683           If the interface is under control of NetworkManager, it is at first
684           connected to change the zone for the connection that is using the
685           interface. If this fails, the zone binding is created in firewalld
686           and the limitations below apply. For interfaces that are not under
687           control of NetworkManager, firewalld tries to change the ZONE
688           setting in the ifcfg file, if the file exists.
689
690           Change zone the interface interface is bound to to zone zone. It's
691           basically --remove-interface followed by --add-interface. If the
692           interface has not been bound to a zone before, it behaves like
693           --add-interface. If zone is omitted, default zone will be used.
694
695       [--permanent] [--zone=zone] --query-interface=interface
696           Query whether interface interface is bound to zone zone. Returns 0
697           if true, 1 otherwise.
698
699       [--permanent] --remove-interface=interface
700           If the interface is under control of NetworkManager, it is at first
701           connected to change the zone for the connection that is using the
702           interface. If this fails, the zone binding is created in firewalld
703           and the limitations below apply.
704
           For the addition or change of interfaces that are not under the
           control of NetworkManager: firewalld tries to change the ZONE
           setting in the ifcfg file, if an ifcfg file exists that is using
           the interface.

           Only for the removal of interfaces that are not under the control of
           NetworkManager: firewalld does not try to change the ZONE setting
           in the ifcfg file. This is needed to make sure that an ifdown of
           the interface will not result in a reset of the zone setting to the
           default zone. Only the zone binding is then removed in firewalld.

           Remove the binding of interface interface from the zone it was
           previously added to.
719
720   Options to Handle Bindings of Sources
       Binding a source to a zone means that this zone's settings will be
       used to restrict traffic from this source.
723
724       A source address or address range is either an IP address or a network
725       IP address with a mask for IPv4 or IPv6 or a MAC address or an ipset
726       with the ipset: prefix. For IPv4, the mask can be a network mask or a
727       plain number. For IPv6 the mask is a plain number. The use of host
728       names is not supported.
729
730       Options in this section affect only one particular zone. If used with
731       --zone=zone option, they affect the zone zone. If the option is
732       omitted, they affect default zone (see --get-default-zone).
733
734       For a list of predefined zones use firewall-cmd [--permanent]
735       --get-zones.
736
737       [--permanent] [--zone=zone] --list-sources
738           List sources that are bound to zone zone as a space separated list.
739           If zone is omitted, default zone will be used.
740
741       [--permanent] [--zone=zone] --add-source=source[/mask]|MAC|ipset:ipset
742           Bind the source to zone zone. If zone is omitted, default zone will
743           be used.
744
745       [--zone=zone] --change-source=source[/mask]|MAC|ipset:ipset
           Change the zone that the source is bound to, to zone zone. It's
           basically --remove-source followed by --add-source. If the source
           has not been bound to a zone before, it behaves like --add-source.
           If zone is omitted, the default zone will be used.
750
751       [--permanent] [--zone=zone]
752       --query-source=source[/mask]|MAC|ipset:ipset
753           Query whether the source is bound to the zone zone. Returns 0 if
754           true, 1 otherwise.
755
756       [--permanent] --remove-source=source[/mask]|MAC|ipset:ipset
757           Remove binding of the source from zone it was previously added to.
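
       The source syntax above (plain address, IPv4 address with a dotted or
       numeric mask, IPv6 address with a numeric mask only, MAC address, or an
       ipset name with the ipset: prefix; no host names) is easy to get wrong
       in automation. The following validator is an added example, not part of
       this man page or of firewalld; it classifies a source specification the
       way the text describes and builds the --add-source argument vector
       without executing it. The argv builder and its function names are this
       example's own design.

```python
"""Validate a firewall-cmd source specification before handing it to the CLI.

Added example modelling the syntax of "Options to Handle Bindings of
Sources": an IP address, an IP network with a mask (dotted or plain-number
mask for IPv4, plain number only for IPv6), a MAC address, or an ipset name
with the "ipset:" prefix. Host names are rejected. Not firewalld code.
"""
import ipaddress
import re

_MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
# ipset names: alphanumeric plus '_' and '-' (see "IPSet Options")
_IPSET_NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")


def classify_source(spec: str) -> str:
    """Return 'ipv4', 'ipv6', 'mac' or 'ipset'; raise ValueError otherwise."""
    if spec.startswith("ipset:"):
        name = spec[len("ipset:"):]
        if not _IPSET_NAME_RE.match(name):
            raise ValueError(f"invalid ipset name: {name!r}")
        return "ipset"
    if _MAC_RE.match(spec):
        return "mac"
    addr, sep, mask = spec.partition("/")
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        # anything that is not an address (e.g. a host name) is unsupported
        raise ValueError(f"unsupported source (host names not allowed): {spec!r}")
    if not sep:
        return "ipv4" if ip.version == 4 else "ipv6"
    if ip.version == 4:
        # IPv4 accepts either a dotted network mask or a prefix length
        try:
            ipaddress.IPv4Network((addr, mask), strict=False)
        except ValueError as exc:
            raise ValueError(f"bad IPv4 mask in {spec!r}: {exc}")
        return "ipv4"
    # IPv6 accepts only a plain prefix length
    if not mask.isdigit() or not 0 <= int(mask) <= 128:
        raise ValueError(f"IPv6 mask must be a plain number 0-128: {spec!r}")
    return "ipv6"


def add_source_argv(source, zone=None, permanent=False):
    """Build (but do not run) the firewall-cmd argument vector for --add-source.

    Hypothetical helper for this example: validation happens first, so a bad
    specification never reaches the CLI.
    """
    classify_source(source)
    argv = ["firewall-cmd"]
    if permanent:
        argv.append("--permanent")
    if zone:
        argv.append(f"--zone={zone}")
    argv.append(f"--add-source={source}")
    return argv


if __name__ == "__main__":
    for spec in ("10.0.0.0/8", "2001:db8::/32", "00:11:22:33:44:55", "ipset:blocklist-v4"):
        print(spec, "->", classify_source(spec))
    print(" ".join(add_source_argv("192.0.2.10", zone="drop", permanent=True)))
```

       Run the validator over a source before calling firewall-cmd; a
       ValueError means the string would be rejected (or silently
       misinterpreted) rather than bound to the zone you intended.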
758
759   IPSet Options
760       --get-ipset-types
761           Print the supported ipset types.
762
763       --permanent --new-ipset=ipset --type=type [--family=inet|inet6]
764       [--option=key[=value]]
           Add a new permanent and empty ipset, specifying the type and
           optionally the family and options like timeout, hashsize and
           maxelem. For more information please have a look at the ipset(8)
           man page.
768
769           ipset names must be alphanumeric and may additionally include
770           characters: '_' and '-'.
771
772       --permanent --new-ipset-from-file=filename [--name=ipset]
773           Add a new permanent ipset from a prepared ipset file with an
774           optional name override.
775
776       --permanent --delete-ipset=ipset
777           Delete an existing permanent ipset.
778
779       --permanent --load-ipset-defaults=ipset
780           Load ipset default settings or report NO_DEFAULTS error.
781
782       [--permanent] --info-ipset=ipset
783           Print information about the ipset ipset. The output format is:
784
785               ipset
786                 type: type
787                 options: option1[=value1] ..
788                 entries: entry1 ..
789
790
791
792       [--permanent] --get-ipsets
793           Print predefined ipsets as a space separated list.
794
795       --permanent --ipset=ipset --set-description=description
796           Set new description to ipset
797
798       --permanent --ipset=ipset --get-description
799           Print description for ipset
800
801       --permanent --ipset=ipset --set-short=description
802           Set short description to ipset
803
804       --permanent --ipset=ipset --get-short
805           Print short description for ipset
806
807       [--permanent] --ipset=ipset --add-entry=entry
808           Add a new entry to the ipset.
809
810           Adding an entry to an ipset with option timeout is permitted, but
811           these entries are not tracked by firewalld.
812
813       [--permanent] --ipset=ipset --remove-entry=entry
814           Remove an entry from the ipset.
815
816       [--permanent] --ipset=ipset --query-entry=entry
817           Return whether the entry has been added to an ipset. Returns 0 if
818           true, 1 otherwise.
819
820           Querying an ipset with a timeout will yield an error. Entries are
821           not tracked for ipsets with a timeout.
822
823       [--permanent] --ipset=ipset --get-entries
824           List all entries of the ipset.
825
826       [--permanent] --ipset=ipset --add-entries-from-file=filename
           Add new entries to the ipset from the file. For all entries that
           are listed in the file but already in the ipset, a warning will be
           printed.

           The file should contain one entry per line. Lines starting with a
           hash or semicolon are ignored, as are empty lines.
833
834       [--permanent] --ipset=ipset --remove-entries-from-file=filename
           Remove existing entries from the ipset from the file. For all
           entries that are listed in the file but not in the ipset, a warning
           will be printed.

           The file should contain one entry per line. Lines starting with a
           hash or semicolon are ignored, as are empty lines.
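
       The entries-file format used by --add-entries-from-file and
       --remove-entries-from-file is simple, but a file built by another tool
       can still contain entries of the wrong address family or entries the
       set already holds. The following reader is an added example and not
       firewalld's own parser: it applies the comment and blank-line rules
       from the text, then mirrors the documented warning for entries that are
       already present. The family check (inet means IPv4, inet6 means IPv6)
       and the hash:ip/hash:net-style address validation are assumptions about
       common ipset types; the sample file is constructed.

```python
"""Read and sanity-check an ipset entries file before feeding it to firewall-cmd.

Added example, not firewalld code. Models the man page's file format (one
entry per line; lines starting with '#' or ';' and empty lines are ignored)
and its warning about entries that are already in the ipset.
"""
import ipaddress

# Constructed sample file for an inet (IPv4) hash:net ipset.
SAMPLE_FILE = """\
# constructed entries file for an inet (IPv4) hash:net ipset
192.0.2.10
; a semicolon also starts a comment line
198.51.100.0/24

203.0.113.7
2001:db8::1
"""


def read_entries(text):
    """Return the non-comment, non-empty entries of an entries file, in order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        entries.append(line)
    return entries


def validate_entry(entry, family="inet"):
    """Assumption: entries are addresses or networks matching the set's family."""
    version = 4 if family == "inet" else 6
    try:
        net = ipaddress.ip_network(entry, strict=False)
    except ValueError:
        return False
    return net.version == version


def plan_add_entries(text, existing, family="inet"):
    """Split file entries into (to_add, warnings).

    Entries already in `existing` produce a warning instead of an add, as the
    man page describes; entries of the wrong family are reported too.
    """
    to_add, warnings = [], []
    seen = set(existing)
    for entry in read_entries(text):
        if not validate_entry(entry, family):
            warnings.append(f"invalid {family} entry: {entry}")
        elif entry in seen:
            warnings.append(f"already in ipset: {entry}")
        else:
            to_add.append(entry)
            seen.add(entry)
    return to_add, warnings


if __name__ == "__main__":
    adds, warns = plan_add_entries(SAMPLE_FILE, existing=["203.0.113.7"])
    print("to add:", adds)
    print("warnings:", warns)
```

       Checking the file this way before the firewall-cmd call keeps a stray
       IPv6 entry or an unintended duplicate from surfacing only as a warning
       in the middle of a deployment.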
841
842       --permanent --path-ipset=ipset
843           Print path of the ipset configuration file.
844
845   Service Options
846       Options in this section affect only one particular service.
847
848       [--permanent] --info-service=service
849           Print information about the service service. The output format is:
850
851               service
852                 ports: port1 ..
853                 protocols: protocol1 ..
854                 source-ports: source-port1 ..
855                 helpers: helper1 ..
856                 destination: ipv1:address1 ..
857
858
859
860       The following options are only usable in the permanent configuration.
861
862       --permanent --new-service=service
863           Add a new permanent and empty service.
864
865           Service names must be alphanumeric and may additionally include
866           characters: '_' and '-'.
867
868       --permanent --new-service-from-file=filename [--name=service]
869           Add a new permanent service from a prepared service file with an
870           optional name override.
871
872       --permanent --delete-service=service
873           Delete an existing permanent service.
874
875       --permanent --load-service-defaults=service
876           Load service default settings or report NO_DEFAULTS error.
877
878       --permanent --path-service=service
879           Print path of the service configuration file.
880
881       --permanent --service=service --set-description=description
882           Set new description to service
883
884       --permanent --service=service --get-description
885           Print description for service
886
887       --permanent --service=service --set-short=description
888           Set short description to service
889
890       --permanent --service=service --get-short
891           Print short description for service
892
893       --permanent --service=service --add-port=portid[-portid]/protocol
894           Add a new port to the permanent service.
895
896       --permanent --service=service --remove-port=portid[-portid]/protocol
897           Remove a port from the permanent service.
898
899       --permanent --service=service --query-port=portid[-portid]/protocol
           Return whether the port has been added to the permanent service.
901
902       --permanent --service=service --get-ports
903           List ports added to the permanent service.
904
905       --permanent --service=service --add-protocol=protocol
906           Add a new protocol to the permanent service.
907
908       --permanent --service=service --remove-protocol=protocol
909           Remove a protocol from the permanent service.
910
911       --permanent --service=service --query-protocol=protocol
           Return whether the protocol has been added to the permanent service.
913
914       --permanent --service=service --get-protocols
915           List protocols added to the permanent service.
916
917       --permanent --service=service
918       --add-source-port=portid[-portid]/protocol
919           Add a new source port to the permanent service.
920
921       --permanent --service=service
922       --remove-source-port=portid[-portid]/protocol
923           Remove a source port from the permanent service.
924
925       --permanent --service=service
926       --query-source-port=portid[-portid]/protocol
           Return whether the source port has been added to the permanent
           service.
929
930       --permanent --service=service --get-source-ports
931           List source ports added to the permanent service.
932
933       --permanent --service=service --add-helper=helper
934           Add a new helper to the permanent service.
935
936       --permanent --service=service --remove-helper=helper
937           Remove a helper from the permanent service.
938
939       --permanent --service=service --query-helper=helper
           Return whether the helper has been added to the permanent service.
941
942       --permanent --service=service --get-service-helpers
943           List helpers added to the permanent service.
944
945       --permanent --service=service --set-destination=ipv:address[/mask]
946           Set destination for ipv to address[/mask] in the permanent service.
947
948       --permanent --service=service --remove-destination=ipv
949           Remove the destination for ipv from the permanent service.
950
951       --permanent --service=service --query-destination=ipv:address[/mask]
           Return whether the destination ipv to address[/mask] has been set
           in the permanent service.
954
955       --permanent --service=service --get-destinations
956           List destinations added to the permanent service.
957
958       --permanent --service=service --add-include=service
959           Add a new include to the permanent service.
960
961       --permanent --service=service --remove-include=service
           Remove an include from the permanent service.
963
964       --permanent --service=service --query-include=service
           Return whether the include has been added to the permanent service.
966
967       --permanent --service=service --get-includes
968           List includes added to the permanent service.
969
970   Helper Options
971       Options in this section affect only one particular helper.
972
973       [--permanent] --info-helper=helper
974           Print information about the helper helper. The output format is:
975
976               helper
977                 family: family
978                 module: module
979                 ports: port1 ..
980
981
982
983       The following options are only usable in the permanent configuration.
984
985       --permanent --new-helper=helper --module=nf_conntrack_module
986       [--family=ipv4|ipv6]
987           Add a new permanent helper with module and optionally family
988           defined.
989
990           Helper names must be alphanumeric and may additionally include
991           characters: '-'.
992
993       --permanent --new-helper-from-file=filename [--name=helper]
994           Add a new permanent helper from a prepared helper file with an
995           optional name override.
996
997       --permanent --delete-helper=helper
998           Delete an existing permanent helper.
999
1000       --permanent --load-helper-defaults=helper
1001           Load helper default settings or report NO_DEFAULTS error.
1002
1003       --permanent --path-helper=helper
1004           Print path of the helper configuration file.
1005
1006       [--permanent] --get-helpers
1007           Print predefined helpers as a space separated list.
1008
1009       --permanent --helper=helper --set-description=description
1010           Set new description to helper
1011
1012       --permanent --helper=helper --get-description
1013           Print description for helper
1014
1015       --permanent --helper=helper --set-short=description
1016           Set short description to helper
1017
1018       --permanent --helper=helper --get-short
1019           Print short description for helper
1020
1021       --permanent --helper=helper --add-port=portid[-portid]/protocol
1022           Add a new port to the permanent helper.
1023
1024       --permanent --helper=helper --remove-port=portid[-portid]/protocol
1025           Remove a port from the permanent helper.
1026
1027       --permanent --helper=helper --query-port=portid[-portid]/protocol
           Return whether the port has been added to the permanent helper.
1029
1030       --permanent --helper=helper --get-ports
1031           List ports added to the permanent helper.
1032
1033       --permanent --helper=helper --set-module=description
1034           Set module description for helper
1035
1036       --permanent --helper=helper --get-module
1037           Print module description for helper
1038
1039       --permanent --helper=helper --set-family=description
1040           Set family description for helper
1041
1042       --permanent --helper=helper --get-family
1043           Print family description of helper
1044
1045   Internet Control Message Protocol (ICMP) type Options
1046       Options in this section affect only one particular icmptype.
1047
1048       [--permanent] --info-icmptype=icmptype
1049           Print information about the icmptype icmptype. The output format
1050           is:
1051
1052               icmptype
1053                 destination: ipv1 ..
1054
1055
1056
1057       The following options are only usable in the permanent configuration.
1058
1059       --permanent --new-icmptype=icmptype
1060           Add a new permanent and empty icmptype.
1061
1062           ICMP type names must be alphanumeric and may additionally include
1063           characters: '_' and '-'.
1064
1065       --permanent --new-icmptype-from-file=filename [--name=icmptype]
1066           Add a new permanent icmptype from a prepared icmptype file with an
1067           optional name override.
1068
1069       --permanent --delete-icmptype=icmptype
1070           Delete an existing permanent icmptype.
1071
1072       --permanent --load-icmptype-defaults=icmptype
1073           Load icmptype default settings or report NO_DEFAULTS error.
1074
1075       --permanent --icmptype=icmptype --set-description=description
1076           Set new description to icmptype
1077
1078       --permanent --icmptype=icmptype --get-description
1079           Print description for icmptype
1080
1081       --permanent --icmptype=icmptype --set-short=description
1082           Set short description to icmptype
1083
1084       --permanent --icmptype=icmptype --get-short
1085           Print short description for icmptype
1086
1087       --permanent --icmptype=icmptype --add-destination=ipv
1088           Enable destination for ipv in permanent icmptype. ipv is one of
1089           ipv4 or ipv6.
1090
1091       --permanent --icmptype=icmptype --remove-destination=ipv
1092           Disable destination for ipv in permanent icmptype. ipv is one of
1093           ipv4 or ipv6.
1094
1095       --permanent --icmptype=icmptype --query-destination=ipv
1096           Return whether destination for ipv is enabled in permanent
1097           icmptype. ipv is one of ipv4 or ipv6.
1098
1099       --permanent --icmptype=icmptype --get-destinations
1100           List destinations in permanent icmptype.
1101
1102       --permanent --path-icmptype=icmptype
1103           Print path of the icmptype configuration file.
1104
1105   Direct Options
       The direct options give more direct access to the firewall. These
       options require the user to know basic iptables concepts, i.e. table
       (filter/mangle/nat/...), chain (INPUT/OUTPUT/FORWARD/...), commands
       (-A/-D/-I/...), parameters (-p/-s/-d/-j/...) and targets
       (ACCEPT/DROP/REJECT/...).
1111
1112       Direct options should be used only as a last resort when it's not
1113       possible to use for example --add-service=service or
1114       --add-rich-rule='rule'.
1115
1116       Warning: Direct rules behavior is different depending on the value of
1117       FirewallBackend. See CAVEATS in firewalld.direct(5).
1118
1119       The first argument of each option has to be ipv4 or ipv6 or eb. With
1120       ipv4 it will be for IPv4 (iptables(8)), with ipv6 for IPv6
1121       (ip6tables(8)) and with eb for ethernet bridges (ebtables(8)).
1122
1123       [--permanent] --direct --get-all-chains
1124           Get all chains added to all tables. This option concerns only
1125           chains previously added with --direct --add-chain.
1126
1127       [--permanent] --direct --get-chains { ipv4 | ipv6 | eb } table
1128           Get all chains added to table table as a space separated list. This
1129           option concerns only chains previously added with --direct
1130           --add-chain.
1131
1132       [--permanent] --direct --add-chain { ipv4 | ipv6 | eb } table chain
1133           Add a new chain with name chain to table table. Make sure there's
1134           no other chain with this name already.
1135
1136           There already exist basic chains to use with direct options, for
1137           example INPUT_direct chain (see iptables-save | grep direct output
1138           for all of them). These chains are jumped into before chains for
1139           zones, i.e. every rule put into INPUT_direct will be checked before
1140           rules in zones.
1141
1142       [--permanent] --direct --remove-chain { ipv4 | ipv6 | eb } table chain
1143           Remove chain with name chain from table table. Only chains
1144           previously added with --direct --add-chain can be removed this way.
1145
1146       [--permanent] --direct --query-chain { ipv4 | ipv6 | eb } table chain
1147           Return whether a chain with name chain exists in table table.
1148           Returns 0 if true, 1 otherwise. This option concerns only chains
1149           previously added with --direct --add-chain.
1150
1151       [--permanent] --direct --get-all-rules
1152           Get all rules added to all chains in all tables as a newline
1153           separated list of the priority and arguments. This option concerns
1154           only rules previously added with --direct --add-rule.
1155
1156       [--permanent] --direct --get-rules { ipv4 | ipv6 | eb } table chain
1157           Get all rules added to chain chain in table table as a newline
1158           separated list of the priority and arguments. This option concerns
1159           only rules previously added with --direct --add-rule.
1160
1161       [--permanent] --direct --add-rule { ipv4 | ipv6 | eb } table chain
1162       priority args
1163           Add a rule with the arguments args to chain chain in table table
1164           with priority priority.
1165
1166           The priority is used to order rules. Priority 0 means add rule on
1167           top of the chain, with a higher priority the rule will be added
1168           further down. Rules with the same priority are on the same level
1169           and the order of these rules is not fixed and may change. If you
1170           want to make sure that a rule will be added after another one, use
1171           a low priority for the first and a higher for the following.
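
       Because rules sharing a priority sit on the same level in an order that
       may change, a rule set whose correctness depends on order (an ACCEPT
       for one host that must be evaluated before a DROP for its subnet) needs
       strictly increasing priorities. The following helper is an added
       example, not part of firewalld: it assigns spaced-out priorities to a
       list of rules in the intended order and builds the --direct --add-rule
       argument vectors, and it parses "priority args" lines of the kind
       --direct --get-rules prints to flag priorities shared by more than one
       rule. The step of 10, the INPUT_direct chain from the text, and the
       sample output lines are this example's own choices; the output lines
       are constructed, not captured.

```python
"""Deterministic ordering of firewalld direct rules via distinct priorities.

Added example; not firewalld code. The man page states that rules with the
same priority have no fixed order and that a rule meant to come first must
get the lower priority. assign_priorities() spaces the desired rules out and
builds the --direct --add-rule argv for each (without executing anything);
find_ambiguous() reports priorities used by more than one rule in the
"priority args" listing that --direct --get-rules prints.
"""
import shlex

# Intended order: accept the admin host, then drop the rest of its subnet.
DESIRED = [
    "-s 192.0.2.10 -p tcp --dport 22 -j ACCEPT",
    "-s 192.0.2.0/24 -p tcp --dport 22 -j DROP",
]

# Constructed listing in the "priority args" shape, one rule per line. The
# first two rules share priority 0, so their relative order is undefined.
SAMPLE_GET_RULES = """\
0 -s 192.0.2.10 -p tcp --dport 22 -j ACCEPT
0 -s 192.0.2.0/24 -p tcp --dport 22 -j DROP
10 -p tcp --dport 22 -j LOG
"""


def assign_priorities(ipv, table, chain, rules_in_order, step=10):
    """Return one firewall-cmd argv per rule, priorities 0, step, 2*step, ...

    Leaving gaps (step=10 is an arbitrary choice) lets a later rule be slotted
    between two existing ones without renumbering everything.
    """
    argvs = []
    for index, args in enumerate(rules_in_order):
        priority = index * step
        argvs.append(["firewall-cmd", "--permanent", "--direct", "--add-rule",
                      ipv, table, chain, str(priority)] + shlex.split(args))
    return argvs


def parse_get_rules(output):
    """Parse '<priority> <args...>' lines into (priority, args) tuples.

    sorted() is stable, but that stability is this parser's, not firewalld's:
    the daemon makes no promise about the order of equal priorities.
    """
    rules = []
    for line in output.splitlines():
        line = line.strip()
        if not line:
            continue
        priority, _, args = line.partition(" ")
        rules.append((int(priority), args))
    return sorted(rules, key=lambda rule: rule[0])


def find_ambiguous(rules):
    """Return priorities shared by more than one rule, i.e. undefined ordering."""
    counts = {}
    for priority, _ in rules:
        counts[priority] = counts.get(priority, 0) + 1
    return sorted(p for p, n in counts.items() if n > 1)


if __name__ == "__main__":
    for argv in assign_priorities("ipv4", "filter", "INPUT_direct", DESIRED):
        print(" ".join(argv))
    print("ambiguous priorities:", find_ambiguous(parse_get_rules(SAMPLE_GET_RULES)))
```

       Running find_ambiguous() over a real --get-rules listing is a cheap
       audit: any priority it reports marks rules whose evaluation order the
       daemon does not guarantee.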
1172
1173       [--permanent] --direct --remove-rule { ipv4 | ipv6 | eb } table chain
1174       priority args
1175           Remove a rule with priority and the arguments args from chain chain
1176           in table table. Only rules previously added with --direct
1177           --add-rule can be removed this way.
1178
1179       [--permanent] --direct --remove-rules { ipv4 | ipv6 | eb } table chain
           Remove all rules in the chain with name chain in table table. This
           option concerns only rules previously added with --direct
           --add-rule in this chain.
1183
1184       [--permanent] --direct --query-rule { ipv4 | ipv6 | eb } table chain
1185       priority args
1186           Return whether a rule with priority and the arguments args exists
1187           in chain chain in table table. Returns 0 if true, 1 otherwise. This
1188           option concerns only rules previously added with --direct
1189           --add-rule.
1190
1191       --direct --passthrough { ipv4 | ipv6 | eb } args
           Pass a command through to the firewall. args can be all iptables,
           ip6tables and ebtables command line arguments. This command is
           untracked, which means that firewalld is not able to provide
           information about this command later on, nor a listing of the
           untracked passthroughs.
1197
1198       [--permanent] --direct --get-all-passthroughs
1199           Get all passthrough rules as a newline separated list of the ipv
1200           value and arguments.
1201
1202       [--permanent] --direct --get-passthroughs { ipv4 | ipv6 | eb }
1203           Get all passthrough rules for the ipv value as a newline separated
1204           list of the priority and arguments.
1205
1206       [--permanent] --direct --add-passthrough { ipv4 | ipv6 | eb } args
1207           Add a passthrough rule with the arguments args for the ipv value.
1208
1209       [--permanent] --direct --remove-passthrough { ipv4 | ipv6 | eb } args
1210           Remove a passthrough rule with the arguments args for the ipv
1211           value.
1212
1213       [--permanent] --direct --query-passthrough { ipv4 | ipv6 | eb } args
1214           Return whether a passthrough rule with the arguments args exists
1215           for the ipv value. Returns 0 if true, 1 otherwise.
1216
1217   Lockdown Options
       Local applications or services are able to change the firewall
       configuration if they are running as root (example: libvirt) or are
       authenticated using PolicyKit. With this feature administrators can
       lock the firewall configuration so that only applications on the
       lockdown whitelist are able to request firewall changes.
1223
1224       The lockdown access check limits D-Bus methods that are changing
1225       firewall rules. Query, list and get methods are not limited.
1226
1227       The lockdown feature is a very light version of user and application
1228       policies for firewalld and is turned off by default.
1229
1230       --lockdown-on
           Enable lockdown. Be careful: if firewall-cmd is not on the lockdown
           whitelist when you enable lockdown, you won't be able to disable it
           again with firewall-cmd; you would need to edit firewalld.conf.
1234
1235           This is a runtime and permanent change.
1236
1237       --lockdown-off
1238           Disable lockdown.
1239
1240           This is a runtime and permanent change.
1241
1242       --query-lockdown
1243           Query whether lockdown is enabled. Returns 0 if lockdown is
1244           enabled, 1 otherwise.
1245
1246   Lockdown Whitelist Options
1247       The lockdown whitelist can contain commands, contexts, users and user
1248       ids.
1249
       If a command entry on the whitelist ends with an asterisk '*', then all
       command lines starting with the command will match. If the '*' is not
       there, the absolute command including its arguments must match.

       Command paths for users are not always the same and depend on the
       user's PATH. Some distributions symlink /bin to /usr/bin, in which case
       it depends on the order they appear in the PATH environment variable.
1257
1258       The context is the security (SELinux) context of a running application
1259       or service. To get the context of a running application use ps -e
1260       --context.
1261
1262       Warning: If the context is unconfined, then this will open access for
1263       more than the desired application.
1264
1265       The lockdown whitelist entries are checked in the following order:
1266           1. context
1267           2. uid
1268           3. user
1269           4. command
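
       The matching rules above decide which callers may still change the
       firewall once lockdown is on, so it pays to reason about a whitelist
       before enabling it. The following model is an added example, not
       firewalld's implementation: it checks a request against a whitelist in
       the documented order (context, uid, user, command), applies the
       trailing-'*' prefix rule for command entries, and flags entries that
       admit more than the intended application (an unconfined SELinux
       context, per the warning above, or a command entry that is not an
       absolute path). The whitelist contents and the requests are constructed.

```python
"""Model of the lockdown whitelist check order and command matching.

Added example reproducing the rules in "Lockdown Whitelist Options": entries
are checked in the order context, uid, user, command; a command entry ending
in '*' matches every command line that starts with it, otherwise the absolute
command line including arguments must match exactly. Stand-alone model for
reasoning about a whitelist, not firewalld's code.
"""
from dataclasses import dataclass, field


@dataclass
class Whitelist:
    contexts: set = field(default_factory=set)
    uids: set = field(default_factory=set)
    users: set = field(default_factory=set)
    commands: set = field(default_factory=set)


# Constructed whitelist: one SELinux context, uid 0, one user, two commands
# (one exact, one prefix entry ending in '*').
WL = Whitelist(
    contexts={"system_u:system_r:NetworkManager_t:s0"},
    uids={0},
    users={"fwadmin"},
    commands={"/usr/bin/firewall-config", "/usr/local/sbin/fw-deploy *"},
)


def command_matches(entry, cmdline):
    """Prefix match for entries ending in '*', exact match otherwise."""
    if entry.endswith("*"):
        return cmdline.startswith(entry[:-1])
    return cmdline == entry


def lockdown_allows(wl, context, uid, user, cmdline):
    """Return the kind of entry that admitted the request, or None if denied.

    The order of the checks is the one the man page lists.
    """
    if context in wl.contexts:
        return "context"
    if uid in wl.uids:
        return "uid"
    if user in wl.users:
        return "user"
    if any(command_matches(entry, cmdline) for entry in wl.commands):
        return "command"
    return None


def overly_broad_entries(wl):
    """Flag entries that open lockdown to more than the intended application."""
    findings = []
    for ctx in sorted(wl.contexts):
        if "unconfined" in ctx:
            findings.append(f"context {ctx} is unconfined")
    for cmd in sorted(wl.commands):
        if not cmd.startswith("/"):
            findings.append(f"command entry {cmd!r} is not an absolute path")
    return findings


if __name__ == "__main__":
    print(lockdown_allows(WL, "unconfined_u:unconfined_r:unconfined_t:s0", 0, "root",
                          "/usr/bin/firewall-cmd --lockdown-off"))   # uid
    print(lockdown_allows(WL, "x", 1000, "bob", "/usr/bin/firewall-config"))  # command
    print(overly_broad_entries(WL))
```

       Before --lockdown-on, run the request that firewall-cmd itself will
       make (your context, uid, user and the exact command line) through
       lockdown_allows(); a None result is the situation the --lockdown-on
       text warns about.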
1270
1271       [--permanent] --list-lockdown-whitelist-commands
1272           List all command lines that are on the whitelist.
1273
1274       [--permanent] --add-lockdown-whitelist-command=command
1275           Add the command to the whitelist.
1276
1277       [--permanent] --remove-lockdown-whitelist-command=command
1278           Remove the command from the whitelist.
1279
1280       [--permanent] --query-lockdown-whitelist-command=command
1281           Query whether the command is on the whitelist. Returns 0 if true, 1
1282           otherwise.
1283
1284       [--permanent] --list-lockdown-whitelist-contexts
1285           List all contexts that are on the whitelist.
1286
1287       [--permanent] --add-lockdown-whitelist-context=context
1288           Add the context context to the whitelist.
1289
1290       [--permanent] --remove-lockdown-whitelist-context=context
1291           Remove the context from the whitelist.
1292
1293       [--permanent] --query-lockdown-whitelist-context=context
1294           Query whether the context is on the whitelist. Returns 0 if true, 1
1295           otherwise.
1296
1297       [--permanent] --list-lockdown-whitelist-uids
1298           List all user ids that are on the whitelist.
1299
1300       [--permanent] --add-lockdown-whitelist-uid=uid
1301           Add the user id uid to the whitelist.
1302
1303       [--permanent] --remove-lockdown-whitelist-uid=uid
1304           Remove the user id uid from the whitelist.
1305
1306       [--permanent] --query-lockdown-whitelist-uid=uid
1307           Query whether the user id uid is on the whitelist. Returns 0 if
1308           true, 1 otherwise.
1309
1310       [--permanent] --list-lockdown-whitelist-users
1311           List all user names that are on the whitelist.
1312
1313       [--permanent] --add-lockdown-whitelist-user=user
1314           Add the user name user to the whitelist.
1315
1316       [--permanent] --remove-lockdown-whitelist-user=user
1317           Remove the user name user from the whitelist.
1318
1319       [--permanent] --query-lockdown-whitelist-user=user
1320           Query whether the user name user is on the whitelist. Returns 0 if
1321           true, 1 otherwise.
1322
1323   Panic Options
1324       --panic-on
           Enable panic mode. All incoming and outgoing packets are dropped,
           active connections will expire. Enable this only if there are
           serious problems with your network environment, for example if the
           machine is being broken into.
1329
1330           This is a runtime only change.
1331
1332       --panic-off
1333           Disable panic mode. After disabling panic mode established
1334           connections might work again, if panic mode was enabled for a short
1335           period of time.
1336
1337           This is a runtime only change.
1338
1339       --query-panic
1340           Returns 0 if panic mode is enabled, 1 otherwise.
1341

EXAMPLES

1343       For more examples see http://fedoraproject.org/wiki/FirewallD
1344
1345   Example 1
       Enable the http service in the default zone. This is a runtime-only
       change, i.e. effective until restart.
1348
1349           firewall-cmd --add-service=http
1350
1351
1352
1353   Example 2
1354       Enable port 443/tcp immediately and permanently in default zone. To
1355       make the change effective immediately and also after restart we need
1356       two commands. The first command makes the change in runtime
1357       configuration, i.e. makes it effective immediately, until restart. The
1358       second command makes the change in permanent configuration, i.e. makes
1359       it effective after restart.
1360
1361           firewall-cmd --add-port=443/tcp
1362           firewall-cmd --permanent --add-port=443/tcp
1363
1364
1365

EXIT CODES

1367       On success 0 is returned. On failure the output is red colored and exit
1368       code is either 2 in case of wrong command-line option usage or one of
1369       the following error codes in other cases:
1370
1371       ┌────────────────────┬──────┐
       │String              │ Code │
1373       ├────────────────────┼──────┤
       │ALREADY_ENABLED     │   11 │
       ├────────────────────┼──────┤
       │NOT_ENABLED         │   12 │
       ├────────────────────┼──────┤
       │COMMAND_FAILED      │   13 │
       ├────────────────────┼──────┤
       │NO_IPV6_NAT         │   14 │
       ├────────────────────┼──────┤
       │PANIC_MODE          │   15 │
       ├────────────────────┼──────┤
       │ZONE_ALREADY_SET    │   16 │
       ├────────────────────┼──────┤
       │UNKNOWN_INTERFACE   │   17 │
       ├────────────────────┼──────┤
       │ZONE_CONFLICT       │   18 │
       ├────────────────────┼──────┤
       │BUILTIN_CHAIN       │   19 │
       ├────────────────────┼──────┤
       │EBTABLES_NO_REJECT  │   20 │
       ├────────────────────┼──────┤
       │NOT_OVERLOADABLE    │   21 │
       ├────────────────────┼──────┤
       │NO_DEFAULTS         │   22 │
       ├────────────────────┼──────┤
       │BUILTIN_ZONE        │   23 │
       ├────────────────────┼──────┤
       │BUILTIN_SERVICE     │   24 │
       ├────────────────────┼──────┤
       │BUILTIN_ICMPTYPE    │   25 │
       ├────────────────────┼──────┤
       │NAME_CONFLICT       │   26 │
       ├────────────────────┼──────┤
       │NAME_MISMATCH       │   27 │
       ├────────────────────┼──────┤
       │PARSE_ERROR         │   28 │
       ├────────────────────┼──────┤
       │ACCESS_DENIED       │   29 │
       ├────────────────────┼──────┤
       │UNKNOWN_SOURCE      │   30 │
       ├────────────────────┼──────┤
       │RT_TO_PERM_FAILED   │   31 │
       ├────────────────────┼──────┤
       │IPSET_WITH_TIMEOUT  │   32 │
       ├────────────────────┼──────┤
       │BUILTIN_IPSET       │   33 │
       ├────────────────────┼──────┤
       │ALREADY_SET         │   34 │
       ├────────────────────┼──────┤
       │MISSING_IMPORT      │   35 │
       ├────────────────────┼──────┤
       │DBUS_ERROR          │   36 │
       ├────────────────────┼──────┤
       │BUILTIN_HELPER      │   37 │
       ├────────────────────┼──────┤
       │NOT_APPLIED         │   38 │
       ├────────────────────┼──────┤
       │INVALID_ACTION      │  100 │
       ├────────────────────┼──────┤
       │INVALID_SERVICE     │  101 │
       ├────────────────────┼──────┤
       │INVALID_PORT        │  102 │
       ├────────────────────┼──────┤
       │INVALID_PROTOCOL    │  103 │
       ├────────────────────┼──────┤
       │INVALID_INTERFACE   │  104 │
       ├────────────────────┼──────┤
       │INVALID_ADDR        │  105 │
       ├────────────────────┼──────┤
       │INVALID_FORWARD     │  106 │
       ├────────────────────┼──────┤
       │INVALID_ICMPTYPE    │  107 │
       ├────────────────────┼──────┤
       │INVALID_TABLE       │  108 │
       ├────────────────────┼──────┤
       │INVALID_CHAIN       │  109 │
       ├────────────────────┼──────┤
       │INVALID_TARGET      │  110 │
       ├────────────────────┼──────┤
       │INVALID_IPV         │  111 │
       ├────────────────────┼──────┤
       │INVALID_ZONE        │  112 │
       ├────────────────────┼──────┤
       │INVALID_PROPERTY    │  113 │
       ├────────────────────┼──────┤
       │INVALID_VALUE       │  114 │
       ├────────────────────┼──────┤
       │INVALID_OBJECT      │  115 │
       ├────────────────────┼──────┤
       │INVALID_NAME        │  116 │
       ├────────────────────┼──────┤
       │INVALID_FILENAME    │  117 │
       ├────────────────────┼──────┤
       │INVALID_DIRECTORY   │  118 │
       ├────────────────────┼──────┤
       │INVALID_TYPE        │  119 │
       ├────────────────────┼──────┤
       │INVALID_SETTING     │  120 │
       ├────────────────────┼──────┤
       │INVALID_DESTINATION │  121 │
       ├────────────────────┼──────┤
       │INVALID_RULE        │  122 │
       ├────────────────────┼──────┤
       │INVALID_LIMIT       │  123 │
       ├────────────────────┼──────┤
       │INVALID_FAMILY      │  124 │
       ├────────────────────┼──────┤
       │INVALID_LOG_LEVEL   │  125 │
       ├────────────────────┼──────┤
       │INVALID_AUDIT_TYPE  │  126 │
       ├────────────────────┼──────┤
       │INVALID_MARK        │  127 │
       ├────────────────────┼──────┤
       │INVALID_CONTEXT     │  128 │
       ├────────────────────┼──────┤
       │INVALID_COMMAND     │  129 │
       ├────────────────────┼──────┤
       │INVALID_USER        │  130 │
       ├────────────────────┼──────┤
       │INVALID_UID         │  131 │
       ├────────────────────┼──────┤
       │INVALID_MODULE      │  132 │
       ├────────────────────┼──────┤
       │INVALID_PASSTHROUGH │  133 │
       ├────────────────────┼──────┤
       │INVALID_MAC         │  134 │
       ├────────────────────┼──────┤
       │INVALID_IPSET       │  135 │
       ├────────────────────┼──────┤
       │INVALID_ENTRY       │  136 │
       ├────────────────────┼──────┤
       │INVALID_OPTION      │  137 │
       ├────────────────────┼──────┤
       │INVALID_HELPER      │  138 │
       ├────────────────────┼──────┤
       │INVALID_PRIORITY    │  139 │
       ├────────────────────┼──────┤
       │INVALID_POLICY      │  140 │
       ├────────────────────┼──────┤
       │MISSING_TABLE       │  200 │
       ├────────────────────┼──────┤
       │MISSING_CHAIN       │  201 │
       ├────────────────────┼──────┤
       │MISSING_PORT        │  202 │
       ├────────────────────┼──────┤
       │MISSING_PROTOCOL    │  203 │
       ├────────────────────┼──────┤
       │MISSING_ADDR        │  204 │
       ├────────────────────┼──────┤
       │MISSING_NAME        │  205 │
       ├────────────────────┼──────┤
       │MISSING_SETTING     │  206 │
       ├────────────────────┼──────┤
       │MISSING_FAMILY      │  207 │
       ├────────────────────┼──────┤
       │RUNNING_BUT_FAILED  │  251 │
       ├────────────────────┼──────┤
       │NOT_RUNNING         │  252 │
       ├────────────────────┼──────┤
       │NOT_AUTHORIZED      │  253 │
       ├────────────────────┼──────┤
       │UNKNOWN_ERROR       │  254 │
       └────────────────────┴──────┘

       Note that the return codes of the --query-* options are special:
       successful queries return 0, unsuccessful ones return 1, unless an
       error occurred, in which case the table above applies.

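       The following POSIX sh helpers are an added example and not part of
       this manual page. They apply the exit-code rules above when scripting
       firewall-cmd: a --query-* status of 0 or 1 is an answer, any other
       status is an error named in the table, and for change options the
       ALREADY_ENABLED (11), NOT_ENABLED (12) and ZONE_ALREADY_SET (16)
       statuses, which firewall-cmd itself counts as success for sequence
       options, are treated as already converged rather than as failures.
       The FIREWALL_CMD variable is an assumed override hook so the wrappers
       can be exercised without a running firewalld.

```sh
# Added example, not from the firewall-cmd manual: interpret firewall-cmd
# exit statuses when automating firewall changes. Names and values come from
# the EXIT CODES table; FIREWALL_CMD is an assumed override hook for testing.

# Numeric exit status -> symbolic name (the subset a hardening script most
# often needs to tell apart; anything else is reported by number).
fwc_exit_name() {
    case "$1" in
        0)   echo "SUCCESS" ;;
        11)  echo "ALREADY_ENABLED" ;;
        12)  echo "NOT_ENABLED" ;;
        16)  echo "ZONE_ALREADY_SET" ;;
        29)  echo "ACCESS_DENIED" ;;
        101) echo "INVALID_SERVICE" ;;
        102) echo "INVALID_PORT" ;;
        251) echo "RUNNING_BUT_FAILED" ;;
        252) echo "NOT_RUNNING" ;;
        253) echo "NOT_AUTHORIZED" ;;
        254) echo "UNKNOWN_ERROR" ;;
        *)   echo "CODE_$1" ;;
    esac
}

# --query-* options: 0 means yes, 1 means no; any other status is a real
# error (daemon not running, not authorized, ...) and must not be read as "no".
fwc_classify_query() {
    case "$1" in
        0) echo "yes" ;;
        1) echo "no" ;;
        *) echo "error:$(fwc_exit_name "$1")" ;;
    esac
}

# Change options (--add-*, --remove-*, ...): 11, 12 and 16 mean the
# configuration is already in the requested state, so a converging script
# treats them like 0; every other non-zero status is an error.
fwc_classify_change() {
    case "$1" in
        0|11|12|16) echo "ok" ;;
        *) echo "error:$(fwc_exit_name "$1")" ;;
    esac
}

# Run firewall-cmd, capture its status without tripping set -e, classify it.
fwc_run() {
    mode=$1; shift; rc=0
    "${FIREWALL_CMD:-firewall-cmd}" "$@" >/dev/null 2>&1 || rc=$?
    if [ "$mode" = query ]; then fwc_classify_query "$rc"; else fwc_classify_change "$rc"; fi
}
```

       Usage: fwc_run query --query-service=ssh, or fwc_run change
       --permanent --add-service=ssh; a result beginning with "error:" should
       abort the script instead of being treated as "not enabled".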

SEE ALSO

       firewall-applet(1), firewalld(1), firewall-cmd(1), firewall-config(1),
       firewalld.conf(5), firewalld.direct(5), firewalld.dbus(5),
       firewalld.icmptype(5), firewalld.lockdown-whitelist(5),
       firewall-offline-cmd(1), firewalld.richlanguage(5), firewalld.service(5),
       firewalld.zone(5), firewalld.zones(5), firewalld.policy(5),
       firewalld.policies(5), firewalld.ipset(5), firewalld.helper(5)


NOTES

       firewalld home page:
           http://firewalld.org

       More documentation with examples:
           http://fedoraproject.org/wiki/FirewallD


AUTHORS

       Thomas Woerner <twoerner@redhat.com>
           Developer

       Jiri Popelka <jpopelka@redhat.com>
           Developer

       Eric Garver <eric@garver.life>
           Developer



firewalld 0.9.3                                                FIREWALL-CMD(1)